In January, the EU starts running Bug Bounties on Free and Open Source Software

Update (16 January 2019): More bug bounties become live, have a look at the full list below!Update (10 January 2019): As some of you have already pointed out, the bounties haven’t been made public yet. I have been informed by the European Commission that the “start dates” they sent designate the start of the contract with the involved bug bounty platform, rather than the actual publication of the bounty. The publication date is found in collaboration with the software projects involved. Once they are ready, the bounties will be published. I will keep this blog post updated with more info as I receive it.

What happened so far

In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL. This type of software is called a library because it provides standard functions to a huge number of other softwares. And they subsequently suffered from the issue.

Since OpenSSL is also very important for the encryption of Internet traffic, it is also highly relevant to the protection of your personal communication, or your payment details when you’re shopping online.

The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things. But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our every day lives. It is the means we use to retrieve information and to be politically active.

That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.

FOSSA 2

In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software.

We also planned a series of Hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together and to collaborate directly on their software.

FOSSA Bug Bounties

In January, the EU is launching bug bounties on Free Software projects to increase the security of the Internet!Tweet this!

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software. The software projects chosen were previously identified as candidates in the inventories and a public survey.

You can contribute to the projects below by analysing the software, and by submitting any bugs or vulnerabilities you find to the involved bug bounty platforms. Here is the list of Software projects and the bug bounties:

Two individuals. And don’t get it wrong : *MOST* of the OSS softwares are developped by very tiny teams, mostly on their own time, with no incentive to do it but the urge to scratch a itch, and the pleasure to work on something fun. And I’m not talking about unknown projects on a dark corner of The Internet, I’m talking about mainstream projects, used pretty much everywhere.

So, please, keep going with those bug bounties, but in the main time, don’t thing this will server any purpose than misplaced delusion of being useful. This is vain, really.

The way bigger problem is to fond those projects. To identify *real* contributors, and get them receive more than just a pat in the back and a public blame for the bug they left in the code they have written. To get them rewarded. That would be order of magnitude more efficient…

I am interested in vulnerabilities in public systems of institutions in Bulgaria, especially judicial one.
I want to take part in analysing and to apply for bug bounty.
Will You, please, inform me if such a project will be launched in Bulgaria or EU.
Thanks

This is extremely exciting as the major users should really show more responsibility for the projects they use. However, I find it weird that Notepad++ is on that list. It’s open source, yes, but it’s only available for Windows. There exists some clones, but that’s different code. Is this really good use of that much money? For something as trivial as Notepad++ there’s a lot of crossplatform open source alternatives. Should not a large organisation seek to use apps which are available to everyone whether they use Windows/Mac/Linux instead of making it’s users bound to a certain platform?